Category Archives: Phishing

At last – a use for all those phishing emails you’ve been getting!

Hats off to the UK’s National Cyber Security Centre, or NCSC for short.

They’ve just announced a simple-to-follow set of instructions on what you can do with the apparently ever-growing number of scammy, spammy and phishy emails that coronavirus stay-home rules seem to have unleashed on us.

With an admirably broad vision, the NCSC is pitching its new campaign in two complementary articles, headlined:

We approve.

Because the last thing we want to see is that we all end up so focused on coronavirus-themed scams that we inadvertently create a loophole for those crooks who are carefully sending non-coronavirus scams in the hope of attracting less scrutiny – hiding in plain sight, as it were.

We’ve seen this problem before in the history of cybersecurity.

An early example is what many people used to call “Nigerian scams”, which was always a divisive and dangerous term to use.

Firstly, we know many Nigerians who aren’t scammers and at least some non-Nigerians who are, so it’s misleading and xenophobic to apply a criminal epithet to an entire country. (Especially a country as populous as Nigeria and with such a large diaspora.)

Secondly, and ironically, the phrase “Nigerian scammers” ended up playing into the hands of actual Nigerian scammers, who found that by openly claiming to come from one of several other countries in West Africa, they automatically became more believable, without needing to change their scams in any significant way.

In other words, the adjective “Nigerian”, when associated with the sender or the content of an email, became a proxy for “scam”, and therefore by a specious and invalid leap of logic, “non-Nigerian” came to be a proxy for “non-scam”.

A more recent example is the issue of ransomware, which tends to dominate any modern discussion of malware, to the point that some people think it’s enough to protect specifically against ransomware and to worry much less, or even hardly at all, about all the other malware threats out there.

The problem with that approach is that many, perhaps even most, ransomware attacks actually start with an infection by some other sort of malware such as a keylogger or data-stealing Trojan…

…and in many of those cases, the keylogger or data-stealer originally rode in on the back of a malware infection that arrived before that, for example malware such as the remote-control bot known as Emotet.

In other words, if you focus too narrowly on ransomware alone, then even if you block all the ransomware attacks that come your way, you may end up in very serious trouble from multiple malware infections that preceded them.

Think big!

Cybersecurity responses don’t need to be quite this targeted – because the extra cost of protecting against malware in general is negligible compared to the cost of protecting effectively against ransomware in particular.

Similarly, if you simply redefine “Nigerian scams” as “Advance fee fraud scams” – in other words, you focus on how they work instead of who may or may not be perpetrating them – you learn how to recognise fraudulent money-up-front schemes in general and protect yourself much better.

So we’re happy that the NCSC has identified that their new Suspicious Email Reporting Service (SERS) helps you deal specifically with coronavirus-themed scams.

It’s right to recognise that coronavirus scams have an importance all of their own, and to acknowledge the understandably huge community disgust they attract.

To paraphrase George Orwell, all scams are equal, but some scams are more equal than others.

But it’s also vital to remind people that phishing of all sorts is still a clear and present danger with a very broad reach, and the NCSC has done just that, too.

As the NCSC says:

Cybercriminals love phishing. Unfortunately, this is not a harmless riverbank pursuit. When criminals go phishing, you are the fish and the bait is usually contained in a scam email or text message.

The criminal’s goal is to convince you to click on the links within their scam email or text message, or to give away sensitive information (such as bank details).

So if you see something bogus and want to report it to someone, whether it’s the latest sextortion porn scam, a bogus home delivery or counterfeit face masks for sale…

…you can submit it to the easily remembered email address: report@phishing.gov.uk.

As the NCSC points out, it won’t reply to your submission – but every sample helps, because the long arm of the law says that it’s ready to act on our behalf:

If we discover activity that we believe is malicious, we may:

  • seek to block the address the email came from, so it can no longer send emails
  • work with hosting companies to remove links to malicious websites
  • raise awareness of commonly reported suspicious emails and methods used (via partners)

Whilst the NCSC is unable to inform you of the outcome of its review, we can confirm that we do act upon every message received.

Remember that if ever a bunch of phishing scammers get their day in court, submissions of actual scam emails from real recipients around the world are powerful evidence of the global impact of their crimes.

Latest Naked Security podcast

GitHub users targeted by Sawfish phishing campaign

GitHub users beware: online criminals have launched a phishing campaign to try and gain access to your accounts.

The Microsoft-owned source code collaboration and version control service reported the campaign, which it calls Sawfish, on Tuesday 14 April. Users were reporting emails that tried to lure them into entering their GitHub credentials on fake sites for a week before, it said.

The phishing campaign lures victims to domains that look similar to GitHub’s at first glance but which the company doesn’t own, such as git-hub.co, sso-github.com, and corp-github.com, the company said. Other domains misspell the ‘i’ in GitHub with an ‘l’, like glthub.info. The attacker also tried domains that look like those owned by other tech companies, such as aws-update.net and slack-app.net. Most of these domains are already down and the phisher has been swapping them out quickly, GitHub warned.
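As an added example (not part of GitHub's advisory), here is a small Python check that flags the lookalike patterns described above, hyphen insertion, an added word such as "sso" or "corp", and the i/l homoglyph, against a constructed allowlist of genuine brand domains; the suffix handling is deliberately naive and the homoglyph table is illustrative:

```python
# Brands a defender watches for, with the domains that genuinely belong to them
# (constructed allowlist for this example; extend it for your own environment).
LEGIT = {
    "github": {"github.com", "github.io", "githubusercontent.com"},
    "aws":    {"amazonaws.com", "amazon.com"},
    "slack":  {"slack.com"},
}

# Character sequences that look alike in many fonts (small illustrative set).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]


def fold(label: str) -> str:
    """Collapse confusable characters so 'glthub' compares equal to 'github'."""
    for confusable, canonical in HOMOGLYPHS:
        label = label.replace(confusable, canonical)
    return label


def registrable(domain: str):
    """Return (registrable domain, its left-most label).
    Naive assumption: one-part public suffixes such as .com/.info/.co.
    Use the Public Suffix List for real deployments (github.co.uk would break this)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return domain.lower(), parts[0]
    return ".".join(parts[-2:]), parts[-2]


def lookalike(domain: str):
    """Return (brand, reason) when the domain imitates a known brand, else None."""
    reg, label = registrable(domain)
    for brand, legit_domains in LEGIT.items():
        if reg in legit_domains:
            return None                                  # genuinely owned by the brand
        stripped = label.replace("-", "")
        if label == brand:
            return (brand, "brand on another TLD")       # e.g. github.co
        if stripped == brand:
            return (brand, "hyphen inserted")            # git-hub.co
        if fold(stripped) == fold(brand):
            return (brand, "homoglyph")                  # glthub.info
        if brand in label.split("-"):
            return (brand, "brand with added word")      # sso-github.com, aws-update.net
    return None


def scan(domains):
    """Map each suspicious domain to its verdict; clean domains are omitted."""
    return {d: lookalike(d) for d in domains if lookalike(d) is not None}
```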

The phishing emails – which aren’t always well-written – try to raise the recipient’s alarm by suggesting that there’s something fishy going on with their account. One example, received on 4 April, asked a user to review their account activity:

It then took the user to this fake site, with a domain that GitHub says is associated with the Sawfish campaign:

The phishers appear to be targeting people based on the addresses used for public Git commits. These are updates to source code that are publicly viewable. That could explain one Redditor’s report of a phishing email sent to an address used exclusively for GitHub.

Attackers use several techniques to hide the real link destination, including URL shorteners, sometimes strung together to make it even more difficult to see the ultimate destination. They also use redirectors on compromised sites that have a legitimate-looking URL but which then send the victim to another malicious site.

Once the attacker gains access, they can download the contents of private repositories, which may be owned by the organizations they work for. They can also use GitHub OAuth tokens which authorize them to access the site for a predefined period even if the user changes their password. Alternatively, they could create a GitHub personal access token, which allows the user to access their GitHub account using the Security Assertion Markup Language (SAML). This is an open authentication standard often used for single sign-on (SSO) access. Setting up an SSH certificate to access a logged-in account is also trivial. If the victim of a phishing attack didn’t review their SSH certs, the attacker could continue accessing the account covertly for a long time.

The phishing attack even works against some kinds of two-factor authentication (2FA). One 2FA option that GitHub offers is a time-based one-time password (TOTP). This is a step up from SMS-based authentication, which attackers have subverted with SIM-jacking attacks. TOTP applications generate an authentication code that is valid for a certain time period, but the user still has to enter those codes into the authenticating website. The phishing site relays the TOTP code to the attacker, who then performs a man-in-the-middle attack and enters the TOTP code into GitHub.

The attack doesn’t work against hardware-based authentication systems based on WebAuthn, which GitHub began using in August 2019 as a second layer of authentication to complement TOTP codes. This includes a physical token that the attacker won’t have.
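To make the contrast concrete, here is an added stdlib-only Python simulation (not from GitHub or the article) of the two verification paths: an RFC 6238 TOTP check, which accepts a code no matter which page it was typed on, and a simplified WebAuthn assertion check, where the browser writes the real page origin into the signed client data. HMAC stands in for the per-credential ECDSA key pair, and the relying-party names, challenge and key are assumed values.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: the code depends only on the secret and the clock."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def site_accepts_totp(secret: bytes, submitted: str, now: int) -> bool:
    """The real site's check: constant-time compare against the expected code."""
    return hmac.compare_digest(submitted, totp(secret, now))


def relayed_totp_is_accepted(secret: bytes, now: int) -> bool:
    """Relay described in the article: the victim reads the code off their app and
    types it into the fake page, which forwards it within the same 30-second step.
    Nothing in the six digits records where they were typed, so the site accepts."""
    typed_on_fake_page = totp(secret, now)
    return site_accepts_totp(secret, typed_on_fake_page, now)


def authenticator_assertion(cred_key: bytes, rp_id: str, challenge: str, origin: str):
    """Simplified WebAuthn 'get' assertion. The browser, not the page, fills in the
    origin it is really displaying; the signature covers the RP ID hash plus the
    hash of that client data. (Assumption: HMAC replaces the real ECDSA signature.)"""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return client_data, hmac.new(cred_key, to_sign, hashlib.sha256).digest()


def relying_party_verifies(cred_key: bytes, rp_id: str, expected_origin: str,
                           challenge: str, client_data: bytes, sig: bytes) -> bool:
    """The site's check: type, fresh challenge, expected origin, then the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return False
    if data.get("origin") != expected_origin:
        return False                       # origin binding: this is what breaks the relay
    to_sign = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(cred_key, to_sign, hashlib.sha256).digest())


def relayed_webauthn_is_accepted(cred_key: bytes, challenge: str, page_origin: str) -> bool:
    """Same relay, but with a WebAuthn credential: even if the fake page forwards the
    assertion unchanged, the signed client data names the origin the browser was on.
    (A real browser would also refuse to use RP ID github.com from another origin.)"""
    client_data, sig = authenticator_assertion(cred_key, "github.com", challenge, page_origin)
    return relying_party_verifies(cred_key, "github.com", "https://github.com",
                                  challenge, client_data, sig)
```

The TOTP test vector below is the RFC 6238 one (secret "12345678901234567890", time 59), truncated to six digits.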

Why is this phishing campaign so important? Any phishing attack is a problem, but getting access to a GitHub user’s private repository could yield not only source code but keys to access online applications and SSH keys, along with login credentials for other online services. That’s bad enough for a private personal project, but could be devastating if the victim happens to have access to sensitive assets connected with a popular online app. That’s how hacker Kyle Milliken pwned Disqus.

What to do

Protect yourself by double-checking the destination site you end up at when following links in any emails, warned GitHub.

Use a password manager that will only enter your credentials into a domain that it recognizes, and get yourself a hardware security key that supports WebAuthn to access the site, it adds (which automatically means enabling 2FA).

Review the SSH keys used to access your GitHub account, verify your email addresses, and review your account’s security log to check for any phishy behaviour.


49 malicious Chrome extensions caught pickpocketing crypto wallets

Google has kicked 49 malicious Chrome browser extensions out of its Web Store that were posing as cryptocurrency wallets in order to drain the contents of bona fide wallets.

The extensions were discovered by researchers from MyCrypto – an open-source interface for the blockchain that helps store, send and receive cryptocurrency – and from PhishFort, which sells anti-phishing protection.

On Tuesday, Harry Denley, MyCrypto Director of Security, said that malicious browser extensions aren’t new, but the targets in this campaign are: they include the cryptocurrency wallets Ledger (57% of the bad extensions targeted this wallet, making it the most targeted of all the wallets, for whatever reason), Trezor, Jaxx, Electrum, MyEtherWallet, MetaMask, Exodus, and KeepKey.

Denley said that essentially, “the extensions are phishing for secrets,” including users’ mnemonic phrases, private keys, and keystore files, which are security files used for things like identifying app developers or in SSL encryption.

Denley said that once a user entered those secrets, the malicious extensions sent an HTTP POST request to the backend, which is where the bad actors got their hands on the secrets and used them to vacuum out wallets.

MyCrypto identified 14 unique command-and-control servers (C2s) receiving data from compromised systems. After running fingerprinting analysis on the servers, the researchers found that some of them were linked. That means they likely had common bad actors pulling multiple servers’ levers.

While some of them sent the phished data back to a GoogleDocs form, most hosted their own backend with custom PHP scripts, Denley said. You can see a list of the servers here on his post.

Most of the domains are brand new: 80% of them were registered in March and April. The oldest domain, ledger.productions, is the most interconnected to other servers. That gives researchers some indication of the same backend kit or the same actors running the campaign for most of the extensions.

One of the servers gave off a few clues about the campaign, if in fact those clues can be taken at face value. For one thing, it looks like the crypto wallet raiding campaign could have roots in Russia, given that an admin’s email ends in “r.ru”.

MyCrypto published a video to show how a malicious extension targeting MyEtherWallet users works.


Denley said that the process mimics a typical MyEtherWallet experience, until a user types in their secrets. The malicious app sends them back to the C2s, then routes the user back to the default view, and then does … absolutely nothing.

That results in either a frustrated user who submits their secrets again, or maybe even feeds the malware new secrets; or a user uninstalling the extension and forgetting about it until their wallet has been drained dry. The “drained dry” outcome is likely to happen only after the extension has been removed from the store, meaning that a ripped-off user can’t investigate where their security hole was, Denley said.

Some of these nasty extensions have been rated up by a network of bogus reviewers dishing out fake 5-star reviews. The reviews were cursory and low-quality, such as “good,” “helpful app,” or “legit extension.”

Denley says that one extension – MyEtherWallet – had the same “copypasta”, with the same review posted about 8 times and purportedly authored by different users. All of the reviews shared an introduction into what Bitcoin is and an explanation of why the (malicious) MyEtherWallet was their preferred browser extension.

The researchers sent funds to a few addresses and submitted secrets to the malicious extensions. They weren’t automatically swept, however, perhaps because the bad actors are only interested in high-value accounts, or maybe because they have to manually sweep accounts.

Although the researchers didn’t lose their secrets to the malicious extensions, others have publicly posted about losing funds to the extensions on the Chrome support forum, Reddit and Toshi Times.

Google swept the trashy extensions from the Chrome store within 24 hours of getting a heads-up.

Not the first time

Back in February, Google abruptly yanked 500 Chrome extensions off its Web Store after researchers discovered they were stealing browsing data, pulling off click fraud and serving up malvertising. The extensions had installed themselves on millions of users’ computers.

At the time, our advice was to not assume that, just because an extension is hosted from an official web store, it’s safe to use. The cryptocurrency-draining malicious extensions are just the latest of a long string of examples. The best advice:

  • Install as few extensions as possible and, despite the above, only from official web stores.
  • Check the reviews and feedback from others who’ve installed the extension.
  • Pay attention to the developer’s reputation, how responsive they are to questions and how frequently they post version updates.
  • Study the permissions they ask for (in Chrome, Settings > Extensions > Details) and make sure they’re in line with the extension’s features. Be suspicious if the permissions change.
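The last tip, checking that permissions match the extension's features and noticing when they change, can be automated against an extension's manifest.json. The following is an added example (not from the researchers or from Google), with a constructed pair of manifests for a wallet-style extension and an assumed list of permissions that a wallet UI has no business asking for:

```python
import json

# Permissions that reach far beyond what a wallet UI needs
# (assumed risk list for this example, not from the researchers' report).
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs", "history",
             "cookies", "clipboardRead", "nativeMessaging", "debugger", "proxy"}


def is_broad_host(pattern: str) -> bool:
    """True for match patterns that cover every site, e.g. <all_urls> or https://*/*."""
    if pattern == "<all_urls>":
        return True
    if "://" not in pattern:
        return False
    host = pattern.split("://", 1)[1].split("/", 1)[0]
    return host == "*"


def declared_permissions(manifest: dict) -> set:
    """Everything the manifest lets the extension touch: API permissions,
    host permissions (Manifest V3 lists them separately) and content-script targets."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        perms |= set(script.get("matches", []))
    return perms


def audit(old_manifest: dict, new_manifest: dict) -> dict:
    """Diff two versions of a manifest and single out the dangerous additions."""
    old, new = declared_permissions(old_manifest), declared_permissions(new_manifest)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "high_risk_added": sorted(p for p in added if p in HIGH_RISK or is_broad_host(p)),
    }


# Constructed sample: version 1 only touches the wallet site and local storage ...
MANIFEST_V1 = json.loads("""{
  "manifest_version": 3, "name": "Example Wallet Helper", "version": "1.0",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://wallet.example/*"], "js": ["ui.js"]}]
}""")

# ... version 2 quietly asks for every site plus the clipboard, where seed phrases get pasted.
MANIFEST_V2 = json.loads("""{
  "manifest_version": 3, "name": "Example Wallet Helper", "version": "1.1",
  "permissions": ["storage", "clipboardRead"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://wallet.example/*"], "js": ["ui.js"]}]
}""")

if __name__ == "__main__":
    print(json.dumps(audit(MANIFEST_V1, MANIFEST_V2), indent=2))
```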

Denley had other helpful advice, as well, which you can find on his post. One of his tips is to consider creating a separate browser user that you use solely for cryptocurrency data in order to limit your attack surface, and to separate your personal and cryptocurrency profiles so as to increase the privacy related to your cryptocurrency profile.


ICANN asks registrars to crack down on scam coronavirus websites

When is ICANN going to do something about the explosion of scammy domains spawned by the COVID-19 pandemic?

We can’t, the overseers of the internet said last Tuesday (7 April), throwing their hands in the air and telling domain registrars that they can — and should.

On Wednesday, Agence France-Presse (AFP) reported that the internet domain-name overseers at ICANN – that’s the Internet Corporation for Assigned Names and Numbers – had taken the unusual step of sending a letter to the hundreds of domain name registrars around the globe that are accredited by ICANN to issue new website domain names.

The thing is, ICANN doesn’t have the authority to police website content. We know scammers are running wild, but we’re hamstrung when it comes to stopping them, ICANN chief executive Goran Marby said in the letter:

ICANN cannot, under our bylaw and practically speaking, involve itself in issues related to website content.

That does not mean we are unconcerned or unaware of how certain domain names are being misused in fraudulent activities during this global pandemic.

AFP referred to a recent report from the security research-focused Interisle Consulting Group (ICG) following its review of WHOIS practices among registrars. The report, which was prepared for ICANN, highlights the severity of pandemic scams, which all run on sites provided by registrars around the globe:

The pandemic has led to an explosion of cybercrime, preying upon a population desperate for safety and reassurance. These criminal activities require domain names, which are being used to run phishing, spam, and malware campaigns, and scam sites.

ICG found that last month alone, at least 100,000 new domain names were registered containing terms like “covid,” “corona,” and “virus”, as well as more domains registered to sell items such as medical masks, and yet more domains used to spam out ads for COVID-themed scams.

As of this writing, the number of confirmed malicious COVID-related domains is in the thousands.

The date on the report: 31 March. A few days before that, we saw an example when hijacked Twitter accounts were used to advertise face masks.

Also in late March, the US Department of Justice (DOJ) began prosecuting scam sites, starting with a domain that was hawking the phony-as-a-$3-bill “free coronavirus vaccine”, purportedly from the World Health Organization (WHO), for “only $4.95 to cover shipping costs”.

Who does that? A whole lot of low-lifes, that’s who, as ICANN security chief John Crain told AFP:

COVID-19 is unique in that it is truly global. And the cyber bad guys haven’t drifted toward it – they have rushed toward it like a barrel off Niagara Falls. This is a new low, preying on people at a time like this.

Crain noted that ICANN isn’t a regulator, and it has no enforcement authority per se. The letter lacked regulatory weight; rather, it was meant to remind registrars that “this is not about business as usual,” he said.

Some ARE trying to stop the bad domains

ICANN is throwing its hands in the air, but those hands are, admittedly, tied. But while all it can manage is a “C’mon, guys”, there are people actually taking real, practical action to stem the flow of these scumbag domains.

One such is the COVID-19 Cyber Threat Coalition (CTC): a global volunteer community of individuals and companies that’s come together in the last few weeks to combat cyber threats that are exploiting the pandemic. Sophos is a sponsor.

One of the things the group does is to produce blocklists of known, bad coronavirus-related URLs, domains and IP addresses. It also offers threat advisories, research and mitigation strategies.

As Naked Security’s Mark Stockley points out, it’s not a replacement for what ICANN is trying to do. The group is just another part of the effort to keep us from drowning in pandemic profiteering and misdirection:

ICANN is trying to plug the leak while the COVID-19 CTC is trying to bail out the boat.

Here’s another resource when it comes to fighting the scam spewers: Sophos News is maintaining an ongoing, live report about COVID-19 threats that it’s continuously updating with new information as it becomes available.

Stay safe, be well, and by all means, throw your hat in the ring if you have threat intelligence you can contribute to the CTC. Here’s how.


Watch out for the new wave of COVID-19 scams, warns IRS

Fellow US taxpayers, are you eager to get your hands on the $1,200 bailout money you’ve been hearing about? … so eager you’re open to offers to help get it faster?

If you answered ‘Yes’, then please, take heed. Any offer to help you get your COVID-19 economic impact payment is coming from a scammer trying to get their hands on your personally identifying information (PII). That’s just one of a rash of coronavirus-themed tax fraud attacks the Internal Revenue Service (IRS) is seeing, it warned on Tuesday.

It’s tax season in the US: always prime time for criminals to get busy, be it phishing via email or robocalls or by grabbing checks out of unlocked mailboxes from people who aren’t getting refunds via direct deposit.

This year, the IRS is seeing the familiar, seasonal rise in tax-related attacks, but like every other genre of e-crime we’ve seen in recent weeks, it’s now coming with a COVID-19 twist.

These things scream “SCAM!”, the IRS warns:

  • When somebody’s emphasizing the words “Stimulus Check” or “Stimulus Payment.” The official term is economic impact payment.
  • When somebody asks you to sign over your economic impact payment check to them.
  • When somebody asks – be it by phone, email, text or social media – for verification of personal and/or banking information, saying that the information is needed to receive or speed up their economic impact payment.
  • When somebody says they can get a tax refund or economic impact payment faster by working on the taxpayer’s behalf. The IRS says that scam could be conducted by social media or even in person.
  • When a scammer sends a bogus check, perhaps in an odd amount, then tells the taxpayer to call a number or verify information online in order to cash it.

That’s not how the IRS rolls

Bona fide IRS agents wouldn’t do any of those things, IRS Commissioner Chuck Rettig said. That’s not how it communicates with taxpayers. So please, be wary of such attempts to rip off your tax refund or economic impact payment, he said:

We urge people to take extra care during this period. The IRS isn’t going to call you asking to verify or provide your financial information so you can get an economic impact payment or your refund faster.

That also applies to surprise emails that appear to be coming from the IRS. Remember, don’t open them or click on attachments or links. Go to IRS.gov for the most up-to-date information.

IRS Criminal Investigation Chief Don Fort said that it’s no surprise that criminals are exploiting the current state of uncertainty. The IRS Criminal Investigation Division is working hard to find these scammers and shut them down, he said, but in the meantime, we all have to remain vigilant:

While you are waiting to hear about your economic impact payment, criminals are working hard to trick you into getting their hands on it.

History has shown that criminals take every opportunity to perpetrate a fraud on unsuspecting victims, especially when a group of people is vulnerable or in a state of need.

Heads-up for those without direct deposit

Taxpayers who don’t have their refunds direct-deposited should beware of what the IRS and its Criminal Investigation Division say is a wave of new and evolving phishing schemes that target them in particular. The IRS is setting up a newly designed, secure portal on IRS.gov in mid-April so that people can provide their direct deposit information. If the IRS doesn’t have your direct deposit information, it will send a check to the address it has on file.

Don’t fall for it if somebody you don’t know offers to input your direct deposit or other banking information into the secure portal on your behalf. They’re likely trying to commit financial fraud.

Note: Retirees to get checks automatically

Not only are the elderly at higher risk of death if they get COVID-19. They’re also favorite targets of tax shysters, just as they are with tech-support scammers or other types of e-crooks.

Retirees, keep this in mind: you don’t have to do a thing to get your $1,200 economic impact payment. Nobody from the IRS will be reaching out to retirees – including recipients of Forms SSA-1099 and RRB-1099 – by phone, email, mail or in person asking for any kind of information to complete their economic impact payment, which is also sometimes referred to as rebates or stimulus payments.

The IRS is sending those $1,200 payments automatically to retirees. You don’t have to lift a finger to receive yours.

Report these tax-swindling carpetbaggers

Too often, we’re too embarrassed to speak up when we get swindled. Please don’t be: it’s not your fault. These crooks are experts at milking money out of us.

The IRS is asking those who receive unsolicited emails, text messages or social media attempts that appear to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), to please forward any information they have to phishing@irs.gov.

It’s also encouraging taxpayers not to egg on potential scammers, be they coming at you online or on the phone. Just get off the phone or the email and report the attempt. You can find out more about reporting suspected scams at the Report Phishing and Online Scams page on IRS.gov.

The agency is also asking us all to go to the original source to get the latest news on tax and economic impact payments. Namely, for official IRS information about the COVID-19 pandemic and economic impact payments, head to the Coronavirus Tax Relief page on IRS.gov. The IRS promises that the page is updated quickly as new information becomes available.

Finally, please check out our report about how to stay on top of coronavirus scams – on top of all the others, too. Stay safe, be well, and get your news from reliable sources instead of scammers!
